
Type-Safety Code Generation tools for AuthZed. (Golang)


oitnes/authzed-codegen


authzed-codegen

This repository contains a Type-Safe Code Generation tool for SpiceDB schemas.

AuthZed is a powerful authorization engine built around SpiceDB that allows you to define and manage your authorization policies using the Zanzibar-inspired schema language. This code generation tool parses SpiceDB .zed schema files and generates type-safe Go code, making it easier to work with your authorization policies in a compile-time safe manner.

TLDR: .zed schema files → type-safe Go code generation.

Installation

From Go Install

go install github.com/oitnes/authzed-codegen/cmd/authzed-codegen@latest

From Source

git clone https://github.com/oitnes/authzed-codegen.git
cd authzed-codegen
make build
# or
go build -o authzed-codegen ./cmd/authzed-codegen

Usage

Generate Go code from SpiceDB schema files:

authzed-codegen --schema path/to/schema.zed --output path/to/output/directory

Command Line Options

  • --schema or -schema: Path to the input .zed schema file (required)
  • --output or -output: Output directory for generated Go files (required)

Features

✅ Supported SpiceDB Schema Features

  • Definitions: Object type definitions with relations and permissions
  • Relations: Type-safe relation definitions with union types (e.g., user | customer)
  • Permissions: Complex permission expressions with full operator support:
    • + (Union): Combines relations/permissions
    • - (Exclusion): Removes subjects from a set
    • & (Intersection): Finds common subjects
    • -> (Arrow): Traverses object hierarchies for nested permissions
    • () (Grouping): Parentheses for expression precedence
    • | (Union): Union of relation types
    • :* (Wildcard): Universal access patterns, matching every subject of a type (e.g., user:*)
  • Namespaces: Prefixed definitions (e.g., menusvc/order, bookingsvc/booking) as well as unprefixed ones (e.g., order)
  • Comments: Line comments (//) and block comments (/* */)
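
How the operators above combine, as an added example that is not part of this repository and is not output of the tool: a simplified in-memory model of a constructed permission, view = (viewer + owner + parent->view) - banned, showing that an exclusion still applies when a user:* wildcard grants access to everyone. The store type, the relation names and the sample relationships are all assumptions made for illustration.

```go
package main

import "fmt"

// Models: permission view = (viewer + owner + parent->view) - banned
// on a constructed "document" type whose viewer relation allows user:*,
// with folder's view = viewer. Not SpiceDB and not the generated code.
type store map[string][]string // "resource#relation" -> subjects

func (s store) has(res, rel, subj string) bool {
	for _, v := range s[res+"#"+rel] {
		if v == subj || v == "user:*" { // :* matches every user (subj is always a user here)
			return true
		}
	}
	return false
}

// canView evaluates the view permission for one user on one document.
func (s store) canView(doc, user string) bool {
	if s.has(doc, "banned", user) { // - (exclusion): removed regardless of grants
		return false
	}
	if s.has(doc, "viewer", user) || s.has(doc, "owner", user) { // + (union)
		return true
	}
	for _, folder := range s[doc+"#parent"] { // -> (arrow): follow parent, check its view
		if s.has(folder, "viewer", user) {
			return true
		}
	}
	return false
}

// sampleStore returns constructed relationships for the demonstration.
func sampleStore() store {
	return store{
		"document:spec#parent": {"folder:eng"},
		"document:spec#owner":  {"user:alice"},
		"folder:eng#viewer":    {"user:bob"},
		"document:memo#viewer": {"user:*"},
		"document:memo#banned": {"user:mallory"},
	}
}

func main() {
	s := sampleStore()
	fmt.Println(s.canView("document:spec", "user:bob"), s.canView("document:memo", "user:mallory"))
}
```
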

Generated Go Code Includes

  • Type-safe constants for all object types, relations, and permissions
  • Struct types for relationship objects and permission input validation
  • CRUD operations for relationships:
    • Create{Relation}Relations() - Create new relationships
    • Delete{Relation}Relations() - Remove relationships
    • Read{Relation}{Type}Relations() - Read existing relationships
  • Permission checking methods:
    • Check{Permission}() - Verify if permission is granted
    • Lookup{Permission}Resources() - Find resources with permission
    • Lookup{Permission}{Type}Subjects() - Find subjects with permission
  • Utility functions for type conversion and ID management

Dependencies

The generated code depends on the authz package, which provides:

  • SpiceDB client integration
  • Type definitions for resources, relations, and permissions
  • Runtime methods for authorization operations

Contributing

Contributions are welcome! Please:

  1. Open an issue to discuss proposed changes
  2. Fork the repository and create a feature branch
  3. Add tests for new functionality
  4. Submit a pull request with a clear description

License

This project is licensed under the MIT License. See the LICENSE file for details.


Languages

  • Go 100.0%